FAQs regarding invalidity of the EU-US Safe Harbor Agreement

As a processor of personal data NGA Human Resources closely monitors all privacy and compliance regulations and will continue to keep clients informed about important changes, such as this recent ruling by the European Court of Justice and any subsequent
related developments.

In light of the European Court of Justice’s decision this week regarding the invalidity of the EU-US Safe Harbor Framework, NGA has prepared this FAQ document to address questions around the transfer of EU personal data to the USA.

What is the EU-US Safe Harbor Agreement?

According to the EU Data Protection Directive (Directive 95/46/EC), EU citizens’ personal data can only be transferred to a list of non-European Union countries that have been recognized by the European Commission as having an “adequate level of protection
for the data”.

As the U.S. is not currently part of this approved list, the European Commission (EC) and the U.S. Department of Commerce developed a Safe Harbor Agreement that allowed U.S. companies that are certified under the Safe Harbor framework to meet the “adequacy”
standard for privacy protection, and import data from the European Economic Area (EEA).

What was ruled by the European Court on Oct 6?

On October 6, the European Court of Justice declared the EU-US Safe Harbor Framework invalid, impacting the pact used by companies to transfer Europeans’ personal information to the U.S.

In summary, the European Court of Justice ruled that national regulators in the EU can override the 15-year-old Safe Harbor agreement and decide at the local level whether the transfer of personal data between their country and the USA meets the applicable
EU and national data protection requirements.

Is NGA Safe Harbor certified?

Yes. NGA Human Resources’ U.S entity, NorthgateArinso, Inc., has self-certified to the Safe Harbor framework since October 12, 2011. NorthgateArinso, Inc. complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set
forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. NorthgateArinso, Inc. has certified that it adheres to the Safe Harbor Privacy
Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view NorthgateArinso’s certification, please visit http://www.export.gov/safeharbor.

What happens now that the European Court of Justice decided that the Safe Harbor is invalid, and a new framework is not in place?

The EU-US Safe Harbor agreement is not the only framework approved by the European Commission that allows US companies to transfer personal data from the EU. US corporations can also meet the “adequacy requirement” established by the European Commission
by signing an appropriate Data Protection Agreement or “DTA”.

DTAs are contracts between the relevant entities which contain the model clauses that have been issued and approved by the European Commission for transfer of personal data from the EEA to a third country.

NGA has an intercompany DTA based on the EU model clauses between all NGA companies, and many of NGA’s customers have signed a DTA which covers the transfer of their relevant EU personal data to the US (as well as in some cases to certain other countries
not approved by the EU for data transfer). For these customers, the ECJ’s decision on Safe Harbour should raise little if any concerns.

NGA customers that have employees in the EU whose personal data may be transferred to the USA as part of the services the customers receive from NGA, and which have not have already signed a DTA covering these transfers, are strongly encouraged to sign
a DTA based on the model clauses. Please contact your local Account Management representative to request a DTA or amendment.

Follow us on Twitter

Malcolm Bennett

Malcolm Bennett has been NGA Human Resources Group Counsel and Company Secretary since January 2015. He was previously Associate General Counsel for over 13 years with IBM and previously held legal positions with CMS Cameron McKenna and BHP Billiton prior to that.

Malcolm has experience in managing teams/departments and structuring and negotiating complex commercial transactions in multiple jurisdictions – he now leads a small team of legal, compliance and security professionals for NGA HR across the globe.

He studied Law at the University of Cape Town and now resides in Manchester with wife and son.

Step 1 of 2

How many employees does your business have?*

1-1000

1.000-5.000

5.000-15.000

15.000+

What is your role?*

Name*

Step 2 of 2

Tell us about you

FirstLast

Company name

Country Dropdown

Country

Email address

Phone

Your Message

By submitting my personal data, I agree that NGA Human Resources may contact me via email and/or the phone number I have provided in this form. I understand that this information may include information related, directly or indirectly, to the product or service I am interested in, including, among others, invitations to webinars and events, studies, whitepapers, specialist articles and information on new or enhanced offerings. I am free to adjust or revoke my consent by clicking here at any time.